๐Ÿ” CVE Alert

CVE-2026-49977

MEDIUM 4.3

tarteaucitron.js: data-cookie attribute can be used to delete arbitrary cookies

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with the purgeBtn class and does not check whether the element is a legitimate tarteaucitron button or whether the cookie corresponds to a service handled by tarteaucitron. If an attacker can write HTML with data attributes, an element with data-cookie can silently delete a non-HttpOnly cookie with a known name when clicked by a user. This issue is fixed in version 1.33.0.

CWE CWE-285
Vendor amauric
Product tarteaucitron.js
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for amauric tarteaucitron.js

Be the first to know when new medium vulnerabilities affecting amauric tarteaucitron.js are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

AmauriC / tarteaucitron.js
< 1.33.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-jxj7-g6gm-49j7 github.com: https://github.com/AmauriC/tarteaucitron.js/commit/24b5464400ae2ff1ad96a092c629b9d632b9cc93 github.com: https://github.com/AmauriC/tarteaucitron.js/releases/tag/v1.33.0 drupal.org: https://www.drupal.org/sa-contrib-2026-040